We found that a good work-around was to set a password expiration of 365 days (any will work, as long as it's greater than 0).
We concluded that Samba interprets the "Never expire" group policy as already expired. Apparently the group policy for "Never expire" actually sets it to expire in 0 days, which Samba reads as "expire immediately".